Law · DE

TTDSG — Telecommunications Telemedia Data Protection Act

5 min read · Reviewed by: Cenedril Editorial
ISO 27001 controls: A.5.13, A.5.14, A.5.34, A.5.36, A.6.3, A.8.10, A.8.11, A.8.24 · DE

A SaaS website embeds Google Analytics, a Facebook pixel and a Hotjar tag — all before the cookie banner appears. A consumer protection body objects to the practice and demands a cease-and-desist declaration. Within hours the question arises which tags actually loaded before consent, which data flowed, and whether the consent prompt was lawfully designed in the first place. Without a tag inventory, these questions cannot be answered reliably.

The Telecommunications Telemedia Data Protection Act (TTDSG) is the German transposition of the ePrivacy Directive and, since the end of 2021, mainly governs access to users’ terminal devices — cookies, local storage, pixels and comparable techniques. It overrides the GDPR at the point where data are created in the first place through tracking.

Who is affected?

Effectively every organisation offering digital services in Germany. The TTDSG ties into the concept of telemedia, which is broad:

  • Website operators — from the club website to the corporate portal.
  • App providers — as soon as the app accesses the terminal device, Section 25 TTDSG applies even without a browser context.
  • SaaS providers — cookies and storage in the web app, embedded tracking SDKs.
  • Newsletter and marketing platforms — tracking pixels in emails fall under Section 25 TTDSG.
  • Providers of classical telecommunications services — telephony, email providers, messenger services; here the obligations on telecommunications secrecy also apply (Sections 3, 5 TTDSG).

Foreign providers are also in scope if they deliberately target the German market (German language, .de top-level domain, delivery to Germany).

What does the law require?

The TTDSG has two main regulatory areas: telecommunications secrecy (Sections 3-11) and the protection of privacy in terminal equipment (Sections 19-26). Relevant for information security are above all:

  • Section 25 TTDSG — Protection of privacy in terminal equipment — accessing the user’s terminal device (storing and reading out information) is only permitted with active, informed consent. Exception: functions that are strictly technically required.
  • Section 26 TTDSG — Recognised services for consent management — framework for recognised Personal Information Management Systems (PIMS); the implementing regulation is being prepared.
  • Section 19 TTDSG — Anonymisation and pseudonymisation — telemedia providers must make anonymous and pseudonymous use possible where reasonable and technically feasible.
  • Sections 3-5 TTDSG — Telecommunications secrecy — confidentiality of content and traffic data in telecommunications; breaches are a criminal offence (Section 27 TTDSG).
  • Section 11 TTDSG — Security of processing — providers of publicly available telecommunications services must take appropriate technical and organisational measures.

In practice

Maintain a tag inventory as a prerequisite. Without a complete list of all tracking scripts, pixels and SDKs, TTDSG compliance is not possible. A documented record of the embedded tools — including purpose, provider and legal basis — belongs in every privacy handbook. Every time a new tool is introduced, the inventory is updated and the cookie banner reviewed.

Treat the cookie banner as a technical architecture. Banners that offer a “Reject” button while quietly preloading tags in the background are a regular source of complaints. A technically clean solution blocks all non-essential tags before consent — typically via a consent-management tag that releases the scripts only after opt-in.

Make the consent record available long-term. Anyone who grants consent receives a record with the timestamp, banner version, chosen options and a means of withdrawal. Without this logging, the validity of the consent cannot be proven in a dispute.
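The three practices above (tag inventory, gating non-essential tags until opt-in, and a consent record with timestamp, banner version, chosen options and a means of withdrawal) combined in one small consent gate. This is an added illustration, not code from the page or from Cenedril; the tool names, purpose categories, banner version strings and the `/consent/withdraw` path are constructed.

```javascript
// Constructed tag inventory (names illustrative): the record the page calls a
// prerequisite, with purpose, provider and legal basis per tool.
const TAG_INVENTORY = [
  { id: "session-cookie", provider: "first-party", purpose: "essential", legalBasis: "Sec. 25(2) TTDSG" },
  { id: "google-analytics", provider: "Google", purpose: "analytics", legalBasis: "consent" },
  { id: "hotjar", provider: "Hotjar", purpose: "analytics", legalBasis: "consent" },
  { id: "facebook-pixel", provider: "Meta", purpose: "marketing", legalBasis: "consent" },
  { id: "google-fonts", provider: "Google", purpose: "external-content", legalBasis: "consent" },
];

// Consent categories the (hypothetical) banner offers; "essential" is never a choice.
const CONSENT_OPTIONS = ["analytics", "marketing", "external-content"];

// Gate: which tag ids may load right now. With no (valid) record only essential tags
// pass, so nothing non-essential is preloaded while the banner is still open.
function allowedTags(inventory, record) {
  const granted = new Set(record && !record.withdrawn ? record.options : []);
  return inventory
    .filter((t) => t.purpose === "essential" || granted.has(t.purpose))
    .map((t) => t.id);
}

// Consent record: timestamp, banner version, chosen options and a means of withdrawal.
// Unknown option names are dropped so a tampered form cannot grant an undefined category.
function recordConsent(options, bannerVersion, now = new Date()) {
  return {
    timestamp: now.toISOString(),
    bannerVersion,
    options: options.filter((o) => CONSENT_OPTIONS.includes(o)),
    withdrawn: false,
    withdrawalUrl: "/consent/withdraw", // constructed path
  };
}

// Withdrawal returns a new record; the original stays as evidence of the earlier choice.
function withdrawConsent(record, now = new Date()) {
  return { ...record, withdrawn: true, withdrawnAt: now.toISOString() };
}

// Re-consent rule: a record only covers the banner version it was given under. Bump the
// version whenever the tag stack changes so stale consents fall back to essential-only.
function consentCovers(record, currentBannerVersion) {
  return Boolean(record) && !record.withdrawn && record.bannerVersion === currentBannerVersion;
}

// Effective tag set for this page load, combining the gate and the re-consent rule.
function tagsForPageLoad(inventory, record, currentBannerVersion) {
  return allowedTags(inventory, consentCovers(record, currentBannerVersion) ? record : null);
}
```

In a browser the ids returned by `tagsForPageLoad` would be the only scripts the consent-management tag injects; everything else stays blocked until a fresh record exists.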

Mapping to ISO 27001

The TTDSG has no direct ISO 27001 mirror — it governs a very specific slice of data processing. Several Annex A controls do substantially support TTDSG compliance, above all in the areas of privacy, classification and encryption.

Directly relevant controls:

Typical audit findings

  • Tags load before consent — the classic finding. Google Analytics, marketing pixels or font CDNs load before the banner click.
  • No “Reject” button at the same level — the banner forces consent, the reject path is buried deep. Authorities and courts treat this as invalid consent.
  • Tracking pixels in newsletters without separate consent — the newsletter sign-up does not also cover the tracking.
  • External fonts and maps without consent — Google Fonts, Google Maps or similar services load in the background without asking the user.
  • Cookie lifetimes exceeded — marketing cookies with multi-year lifetimes without substantive justification.
  • No documented re-consent strategy — when the tracking stack changes, existing consents must be renewed; this step is frequently missing.

Sources

ISO 27001 Controls Covered

  • A.5.13 Labelling of information
  • A.5.14 Information transfer
  • A.5.34 Privacy and protection of PII
  • A.5.36 Compliance with policies, rules and standards for information security
  • A.6.3 Information security awareness, education and training
  • A.8.10 Information deletion
  • A.8.11 Data masking
  • A.8.24 Use of cryptography

Frequently asked questions

What is new in the TTDSG compared with GDPR?

Section 25 TTDSG governs access to terminal devices (cookies, pixels, local storage, browser fingerprinting) regardless of whether personal data are processed. This is the German transposition of Art. 5(3) of the ePrivacy Directive. The GDPR only kicks in one level deeper, when personal data are processed. In practice, any non-functionally-necessary tracking requires active consent -- even without personal reference.

Which cookies are allowed without consent?

Only cookies that are technically required for a function expressly requested by the user (Section 25(2) TTDSG). This includes session cookies for logins, shopping carts, language or security settings. Reach measurement, marketing, A/B testing and external fonts do not qualify -- nor does self-hosted analytics if it goes beyond pure functionality.

Who supervises the TTDSG and what does a breach cost?

The state-level data protection authorities are in charge. Fines can reach EUR 300,000 (Section 28 TTDSG). Competitors and consumer protection associations can also issue cease-and-desist notices under unfair competition law -- the economic damage from those notices often exceeds the fine risk.